Hi,

So, you want to know about “CJIS Certification”; well, we all do. When I say we, I’m including the folks who created, modify, teach, and enforce the CJIS Security Policy (CJISSECPOL). I consider myself part of that group because my focus is still along those lines.

The reason why we want to know more about this is because it doesn’t exist; to borrow a phrase -“there ain’t no such thing.”

In all of my years at the Florida Department of Law Enforcement (FDLE), working with the FBI, and working on the FBI’s CJIS Advisory Policy Board (APB) Security and Access Subcommittee, no one has developed or bestowed “CJIS Certified!”

While at FDLE, I used to get calls all the time from law enforcement agencies asking me “is this vendor CJIS Certified?”, or telling me “that vendor says they are CJIS Certified.” My response, the response from the FBI, and the other Information Security Officers (ISOs) from around the country was “there is no CJIS certification”.

If someone tells you they are CJIS Certified, ask them “who certified you?”, and then tell them to show you the documentation from the process.

Even the term CJIS Compliant is a kind of will-o-the-wisp. Compliance is based on a moment in time, and is dependent on numerous variables, and whether or not all pertinent information was provided to the auditor.

One minor divergence in those variables, and you’re out of compliance. Again, in my years as an auditor, I cited agencies for non-compliance issues, and some responses were “we weren’t out of compliance for the last audit”. That may have been the findings on the previous audit report, however based on the current review, they were out of compliance.

You ask “What are we going to do?” You need a contractor or vendor who can comply with the CJIS Security Policy. If there is no certification process, how do you know your vendor can meet those standards. This is where CJIS ACE can give you a hand.

No one can make anything CJIS Certified, but the good news is CJIS ACE helps you getas close as possible. CJIS ACE has specifically designed a five-step process to help agencies, businesses and applications be CJIS Ready:

1. Knowledge Transfer – Development of an in-depth compliance profile tailored to your organization’s business operations;

2. Process Evaluation – Completion of an extensive review of your organization’s physical and electronic security controls to identify compliance gaps;

3. Compliance Mitigation – Creation of a detailed mitigation roadmap needed to achieve CJIS Readiness;

4. Remediation Development – Consultation with the with your organization to discuss how to fix any identified compliance issues;

5. Continued Assessment – Follow up with your organization to ensure up-to-date CJIS Readiness.

We use the Requirements and Tiering Document as our foundation for this process. So, we are going through each and every “shall” statement to determine applicability and compliance gaps.

We called it CJIS Ready because it’s not a certification process. At completion of our process, your organization or business is ready to meet the compliance requirements defined in the CJIS Security Policy. It’s the closest thing to “CJIS Certification” that you’re going find.

This process applies to any entity that uses criminal justice information: criminal justice agencies, non-criminal justice agencies, private organizations, businesses and vendors.

If you have questions, give us a call at (850) 656-3333 or send me an email lcoffee@diversecomputing.com; we can help you ensure that your organization is ready to comply with CJIS requirements.

Y’all take care.